
A Global Authentication and Handoff Scheme Based on Hierarchical Mobility Management in Mobile IP

Advisor: 涂世雄

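Abstract

In this thesis, we propose a global authentication scheme and a new roaming handoff mechanism for Mobile IP, built on hierarchical management. In our architecture, we use two mechanisms, tickets and credentials, to reduce the amount of authentication data, the number of registrations with the home domain, and handoff problems. In addition, we adopt cryptographic techniques so that our architecture meets security requirements.

In our first method, we use the ticket mechanism to achieve our goals. Under our hierarchical management architecture, when a user roams to another domain for the first time, the user registers and authenticates with its own home domain. Once successfully authenticated, the user can use the ticket it obtained for the local domain to roam within that domain. In this mechanism, when the user roams within the same domain, the user can perform mutual authentication directly with the Foreign Agent (FA). Moreover, when the user moves over a wide range to another domain, the user still does not need to return to the home domain to register; the user only needs to use another ticket, belonging to the local domain, to register and authenticate with the local domain's administrator. In the first method, we use symmetric encryption to protect the security of the data.

In the second method, by using the credential mechanism, we can further reduce the volume of authentication messages. After the home domain confirms the user as a legitimate user, the user obtains a credential. When the user roams to other domains, the user only needs to present this credential to register and authenticate with the local domain's administrator in order to establish the legitimacy of its identity. In this method, we use asymmetric encryption as the security measure for our system.

The main contributions of our research are as follows:

(1) We propose a new global authentication and handoff method for Mobile IP that reduces the number of registrations with the home domain and solves the problem of frequent handoffs.

(2) When the user roams within the same domain, the user can perform mutual authentication directly with the Foreign Agent (FA) to confirm the user's legitimacy.

(3) In our architecture, even when the user moves over a wide range to another domain, the user still does not need to return to the home domain to register and authenticate, which achieves the goal of global authentication.

(4) Both of our proposed methods can resist various attacks and so meet security requirements.

We believe that applying the architecture proposed in this thesis will contribute to and help with authentication and handoff mechanisms in Mobile IP.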

Keywords

Mobile IP, Cryptography, Hierarchical architecture, Handshake, Authentication

Parallel Abstract

In this thesis, we propose a new global authentication and handoff scheme based on hierarchical mobility management in Mobile IP. Within our framework, two methods, one using a ticket mechanism and one using a credential mechanism, are presented separately. We use these two methods to effectively reduce the overhead of authentication and home registration and to address handoff problems in Mobile IP. In addition, we adopt cryptography to make our structure safer.

In the first proposed protocol, we use the ticket mechanism to achieve our purposes. Based on our hierarchical mobility management, when the Mobile Node (MN) registers and is successfully authenticated as a lawful user by its HA, the MN can roam in the local region with a given ticket. With this mechanism, the authentication processes among different Foreign Agents (FAs) are removed. Furthermore, when the MN macro-moves to another visit domain, the MN uses another ticket to register and be authenticated with the local management and obtain service. For security, we employ symmetric encryption, which makes operation faster and reduces the operation cost.

The main purpose of the second protocol is to decrease the message flow of authentication by means of the credential mechanism. After the MN's legality is confirmed, the MN is given a credential. When the MN roams to other visit domains, it only needs to take this credential to register and be authenticated with the management. The security part is the same as in the first proposed protocol.

The contributions of our proposed schemes are as follows:

(1) We propose a new global authentication and handoff scheme in Mobile IP, suited to hierarchical mobility management, that reduces the overhead of home registration and solves the frequent handoff problem.

(2) When the MN micro-moves in the visit domain, mutual authentication can be achieved between the MN and the visited FA.

(3) In our structure, even when the MN macro-moves to another visit domain, it still does not need to register and be authenticated with its HA, which achieves the global roaming purpose.

(4) Both of our proposed schemes can prevent various attacks and so meet the demand for security.

It is believed that the results of our study in this thesis will be very helpful to future research on authentication and handoff in Mobile IP.

Parallel Keywords

Handoff, Authentication, Mobile IP, Hierarchy, Cryptography
